Meta Pixel Data Breach: An Overview

Technology has advanced rapidly, and precision targeting tools are among its innovations. While these tools offer unlimited opportunities for advertisers and tech companies, they also pose a risk for consumers. Experts have warned that these tools carry a significant risk of data breaches, and recently reported cases have been traced back to Meta Pixel tracking software.


What is the Meta Pixel tool, how is data compromised, and how do you protect your business? These are the topics we will cover in this article.

 

What is Meta Pixel Tracker Software? 

The Meta Pixel tracking tool is a JavaScript code snippet that collects and sends specific data to track behavior on a website. The Meta Pixel sends data packets to help advertisers deliver valuable adverts to the appropriate target audience. The tracking tool is embedded on websites, health portals, app pages, etc., in strategic locations, including form submit buttons, website headers, and even password-protected pages.


Meta Pixel Data Breaches: What Happened? 

It was reported that the Meta Pixel tools, which can gather and transmit non-sensitive data, may have malfunctioned, causing the breach to occur and sensitive information to be accessed. The overall cause of this error can be traced to system misconfiguration or Meta’s inability to filter sensitive information due to the large volume of data it receives daily.

More recently, multiple data breaches have led to the loss of over 5 million users’ data across different organizations and systems.

Research by The Markup reveals that about 33% of the top healthcare providers in the United States might have unknowingly shared protected health information (PHI) with Meta, directly violating the Health Insurance Portability & Accountability Act (HIPAA).

The research analyzed 100 hospital systems in the US and found that several of their websites had installed the Meta Pixel tracking tool, which sent patient data to third-party media platforms.

The Markup reveals that Meta Pixel shared sensitive data such as full name, description of an allergic reaction, doctor information, and medication details without following due process.


How was Data Compromised? 

According to Meta, the software collects primary behavior-related data like IP address, buttons clicked, and website pages visited. This information is then encrypted and filtered for any sensitive information before it is transmitted to the Meta server. In practice, however, this has not been the case.

Various healthcare providers have noticed that using the Meta tracking tool on their websites for campaign measurement results in unauthorized data access and sharing issues.

Rather than sending only that specific information, the tool also sends patient data such as names, doctor appointments, allergic reactions, medications, and health challenges. Some healthcare providers have also reported possible unauthorized access to sensitive data, including social security numbers and financial details, entered in free text boxes embedded on website pages or password-protected pages with Meta Pixel installed.


Health Care Privacy Challenges

HIPAA and other healthcare privacy statutes have clear rules on data sharing and storage requirements.

In a recent statement, the US Department of Health and Human Services Office for Civil Rights (OCR) stated that: “Regulated entities are not permitted to use tracking technologies in a manner that would result in unauthorized disclosures of Protected Health Information (PHI) to tracking technology vendors or any other violations of the HIPAA Rules.”

A North Carolina-based healthcare provider, WakeMed Health & Hospitals, has notified authorities of a data breach exposing the sensitive data of about 500,000 patients. They identified the cause of the data breach as the use of the user behavior tracking software Meta Pixel.

The statement claims that select information like email address, phone number, novel coronavirus vaccine status & appointment date were also part of the data accessed and sent to third parties. 

Although there’s no clear indication of financial and social security information exposure, they affirm that Meta Pixel can access this information if entered into the free text box section on their health portal. This discovery raises further concern about the extent of data access and its uses.

Further data breaches have also been traced to Meta Pixel misconfiguration in the health sector. Advocate Aurora Health, a Midwest health system, also suffered a significant data breach, as reported to authorities. The health system says Meta Pixel may have accessed over 3 million individuals’ data. In August 2022, another healthcare provider, Novant Health, reported a possible data breach by Meta Pixel, leading to unauthorized access to over 1 million patients’ data and posing a significant risk to privacy and patient safety.


Legal and Healthcare Insurance Challenges

Aside from the safety issues for patients and healthcare providers, these breaches also raise significant concerns for health insurance providers, healthcare lawyers, and healthcare management. In recent times, there have been multiple class action lawsuits against healthcare providers, resulting in significant settlement payouts by the healthcare insurance providers.

Boston-based Mass General Brigham agreed to pay a total of $18 million to settle a class action suit over its use of third-party tracking tools (Meta Pixel included) but denied any wrongdoing.

In a related John Doe and Jane Doe class action lawsuit, the plaintiffs claimed healthcare providers and Meta Pixel knowingly collected confidential data without their consent. One applicant alleged that over 664 medical providers and systems had sent sensitive data to Meta through its pixel-tracking tools.

Another complainant alleges Meta showed her targeted ads based on her heart disease and joint pain, which she considered a breach of the privacy policy.


How to Protect Your Business? 

Technology is evolving daily. From data management tools to precision data tracking and collection tools powered by sophisticated technology, there’s an unlimited number of things that could go wrong. While measures and policies are constantly enacted to curb unauthorized data access and lock malicious actors out of these systems, there’s still much to be done. With data breaches so rampant, you can take the following preventive and corrective measures to protect your business.

  1. Review your websites to identify all third-party tracking tools and confirm that the data collected complies with privacy laws.
  2. Consult your broker to review your cyber insurance policy and discuss potential regulatory fines, penalties, and wrongful collection coverage options.
  3. Hire a cybersecurity firm to set up security measures to restrict the depth of data exposure to hackers or third-party tools like the Meta Pixel.
  4. Disable Meta Pixel and third-party tracking tools from pages that accept sensitive information from patients and consumers.
  5. Ensure your website privacy policy is clear and provides the option to “opt-in” to tracking in cases where you have to deploy tracking tools.
  6. Develop a process to vet and approve third-party tracking, including IT Security and Legal measures.
  7. In cases where you need to install a third-party tracking tool, run simulation tests on everyday website activities, and ensure that only appropriate data is collected and transmitted.
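
One way to start on steps 1 and 4 is a static scan of page HTML that flags every page where the Meta Pixel sits alongside fields a visitor can type into. This is an added example, not CyberClan's tooling; the sample pages, paths, field names and pixel ID are constructed placeholders, and the detection relies on the pixel's public loader script (`fbevents.js` on `connect.facebook.net`), its `fbq(...)` calls, and its `facebook.com/tr` endpoint.

```python
from html.parser import HTMLParser

# Markers for the Meta Pixel loader script and its tracking endpoint.
PIXEL_MARKERS = ("connect.facebook.net", "facebook.com/tr")
# Input types that let a visitor type arbitrary (possibly sensitive) text.
FREE_TEXT_TYPES = {"text", "email", "tel", "password", "search"}

class PixelAudit(HTMLParser):
    """Collects Meta Pixel references and data-entry fields on one page."""
    def __init__(self):
        super().__init__()
        self.pixel_hits, self.fields, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = (a.get("src") or "").lower()
        if tag in ("script", "img", "iframe") and any(m in src for m in PIXEL_MARKERS):
            self.pixel_hits.append(f"{tag} src={src}")
        if tag == "script":
            self._in_script = True
        elif tag == "textarea":
            self.fields.append(a.get("name") or "textarea")
        elif tag == "input" and (a.get("type") or "text").lower() in FREE_TEXT_TYPES:
            self.fields.append(a.get("name") or "input")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # The inline snippet calls fbq('init', ...) and fbq('track', ...).
        if self._in_script and "fbq(" in data:
            self.pixel_hits.append("inline fbq call")

def audit_page(html):
    parser = PixelAudit()
    parser.feed(html)
    parser.close()
    return {"pixel": sorted(set(parser.pixel_hits)), "fields": parser.fields}

def pages_to_fix(pages):
    """Paths where the pixel is present on a page that accepts typed input."""
    reports = {path: audit_page(html) for path, html in pages.items()}
    return sorted(p for p, r in reports.items() if r["pixel"] and r["fields"])

# Constructed sample pages; paths, field names and pixel ID are placeholders.
SAMPLE_PAGES = {
    "/": "<script>fbq('init','PIXEL_ID_PLACEHOLDER');fbq('track','PageView');</script><h1>Home</h1>",
    "/portal/appointment": '<script async src="https://connect.facebook.net/en_US/fbevents.js"></script>'
        '<form><input name="patient_name"><textarea name="allergy_notes"></textarea></form>',
    "/portal/billing": '<form><input type="password" name="pin"><textarea name="note"></textarea></form>',
}
```

A static scan only sees tags present in the served HTML; a pixel injected at runtime through a tag manager will not appear, which is why the simulation testing in step 7 is still needed.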

At Cyberclan, we help organizations build a more robust, advanced, and comprehensive cybersecurity strategy through our proactive risk management services. Our methodology identifies Cybersecurity risks and vulnerabilities, builds secure architecture, and strengthens existing systems. We deploy services, including Phishing Simulation Programs, Tabletop Exercises, Incident Response Plans, and Policy Development to help you protect your systems and avoid litigation from data breaches. 

Contact us to implement a robust and secure security infrastructure for your healthcare system.


